Court case 10 As 190/2020 - 39 – Court Ruling (Czech Republic, 2022)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A Czech court upheld a fine against a hospital for not having enough security measures to protect personal data, as required by the old data protection law. The hospital argued that the newer GDPR rules would have been more favorable, but the court disagreed. This case shows that older laws can still apply if they were in effect at the time of the violation.
What happened
The court upheld a fine against a hospital for insufficient data security under the old Czech data protection law.
Who was affected
The hospital that failed to implement sufficient security measures to protect personal data.
What the authority found
The court confirmed the fine, stating that the older data protection law applied at the time of the violation, not the newer GDPR.
Why this matters
This case highlights that older data protection laws can still be enforced if they were applicable at the time of a violation. Organizations should ensure compliance with the laws in effect during the time of their actions.
In 2018, the Czech DPA held that the controller, a hospital, had violated the duty to implement sufficient security safeguards under § 13 of the Czech Law on Data Protection 2000 (implementing the Data Protection Directive). The DPA issued a fine of 1,634 EUR to the controller. The controller requested a judicial review of the DPA's decision. In 2020, the City Court of Prague (MSPH) confirmed the DPA's decision. The controller subsequently requested a judicial review at the Supreme Administrative Court (NSS).
The appeal's main line of argument was that under Article 40(6) of the Czech Charter of Fundamental Rights and Freedoms, the court must apply a legal act enacted after the relevant events had taken place, provided that it is more favourable to the offender. In the specific case, the controller claimed that the MSPH should have applied the new law, namely the GDPR and its implementing act - the Czech Law on Data Processing 2019 - instead of the old Law on Data Protection 2000. The controller considered the former to be more favourable in two respects.
First, the controller considered that it would not have been found in violation of the duty to implement sufficient security standards under Article 32 GDPR in the same way as it was found to be under § 13 of the Law on Data Protection 2000. This is because the controller's duty to "keep electronic records" under § 13(4)(c) of the Law on Data Protection 2000 (§ 13(4)(c) stipulates that the controller must "keep electronic records that make it possible to identify and verify when, by whom and for what reason personal data were recorded or otherwise processed") is nowhere to be found in Article 32 GDPR, which does not explicitly refer to such a specific obligation and is therefore more favourable. Second, the controller argued that even if it had been a violation of Article 32 GDPR, the DPA or the court could not have issued a fine against it. Indeed, under § 62(5) of the GDPR implementing act - the Law on Data P
Outcome
Court Ruling
A ruling by a national court on a data-protection matter.
Cite as: Cookie Fines. Court case 10 As 190/2020 - 39 - Czech Republic (2022). Retrieved from cookiefines.eu